Cloudflare Tunnel
Connect your servers to OEC.sh without a public IP address or open firewall ports. Cloudflare Tunnel creates a secure, outbound-only connection from your server to Cloudflare's global network, letting OEC.sh manage your Odoo environments through a zero-trust architecture.
Why Use Cloudflare Tunnel?
Cloudflare Tunnel is ideal when your server:
- Has no public IP — servers behind NAT, corporate firewalls, or private networks
- Cannot open inbound ports — strict firewall policies that block SSH (22), HTTP (80), or HTTPS (443)
- Needs zero-trust security — no exposed attack surface, all traffic routed through Cloudflare's edge
- Is in a restricted environment — on-premise data centers, VPNs, or cloud VPCs without public access
Traditional BYOS setup requires a publicly reachable IP and open ports. Cloudflare Tunnel eliminates both requirements — your server only makes outbound connections to Cloudflare.
How It Works
Direct SSH (Traditional)
You → SSH → Server IP:22 → Server
Browser → HTTPS → Server IP:443 → Traefik → OdooYour server needs a public IP. Ports 22, 80, and 443 must be open.
Cloudflare Tunnel
You → SSH → t-xxxxxxxx.oec.sh → Cloudflare Edge → Tunnel → Server (localhost:22)
Browser → HTTPS → app.apps.oec.sh → Cloudflare Edge → Tunnel → Server (localhost:443) → Traefik → OdooYour server connects outbound to Cloudflare. No public IP needed. No open ports. Cloudflare handles DNS, TLS termination, and traffic routing automatically.
The cloudflared daemon runs on your server as a systemd service. It maintains a persistent outbound connection to Cloudflare's edge network. All SSH and HTTP traffic flows through this tunnel.
Direct SSH vs Cloudflare Tunnel
| Feature | Direct SSH | Cloudflare Tunnel |
|---|---|---|
| Public IP required | Yes | No |
| Open firewall ports | 22, 80, 443 | None |
| SSH latency | ~50-100ms | ~200-400ms |
| DNS setup | A record → server IP | Automatic CNAME → Cloudflare |
| SSL certificates | Let's Encrypt (auto) | Cloudflare edge (auto) |
| Security model | Network + SSH auth | Zero-trust + SSH auth |
| Setup complexity | Enter IP + credentials | Run install script |
| Server location | Must be publicly reachable | Anywhere with internet |
Prerequisites
Before setting up a tunnel, make sure you have:
Cloudflare Tunnel is available on Pro plans and above. If you're on the Free or Starter plan, upgrade in Settings → Subscription & Billing.
-
Cloudflare account — A free Cloudflare account is sufficient. You'll need:
- Your Account ID (found in the Cloudflare dashboard under Account Settings)
- An API Token with
Cloudflare Tunnel:Editpermission
-
Cloudflare account linked to your organization — Added via Settings → Cloud Accounts (see Step 1 below)
-
A server with:
- Linux (Ubuntu 20.04+, Debian 11+, or similar)
- Internet connectivity (outbound HTTPS)
curlandbashavailable- SSH server running (port 22)
- Root or sudo access
Setup Guide
Link Your Cloudflare Account
Before enabling tunnels, connect your Cloudflare account to your OEC.sh organization:
- Go to Settings → Cloud Accounts
- Click Add Cloud Account
- Select Cloudflare as the provider
- Enter your Cloudflare credentials:
- Account ID — Found in Cloudflare dashboard → Account Settings → Account ID
- API Token — Create one at Cloudflare API Tokens (opens in a new tab) with the Cloudflare Tunnel:Edit permission
- Click Save
You only need to do this once per organization. All team members can then create tunnel-connected servers.
Add a Server with Tunnel Connection
- Go to Servers in the sidebar
- Click Add Server
- Under Connection Method, select Cloudflare Tunnel
When Cloudflare Tunnel is selected:
- The IP Address field disappears (not needed)
- An info box explains the tunnel setup process
- You can check Auto-generate SSH key for convenience (recommended)
- Fill in server details:
- Name — A friendly name (e.g., "Private Data Center")
- SSH Username — Usually
root - SSH Authentication — Password or SSH key (for initial setup)
- Click Add Server
OEC.sh creates the tunnel in the background. This takes a few seconds.
Install the Tunnel on Your Server
After the server is added, you'll see a Tunnel Panel on the server detail page:
- Go to Servers → click your new server
- In the Tunnel card, click Load Script to reveal the install command
- Copy the install script
- SSH into your server (using your existing access method) and run the script as root:
# Paste and run the install script on your server
sudo bash -c '<paste script here>'The script automatically:
- Detects your server's CPU architecture (x86_64, ARM, etc.)
- Downloads and installs
cloudflared - Registers the tunnel as a systemd service
- Starts the tunnel connection
- Adds OEC.sh's SSH key to
authorized_keys(if auto-generated)
Run the script as root. It installs a system service and modifies SSH configuration. If using sudo, use sudo bash -c '...' to ensure the full script runs with root privileges.
Verify the Connection
After running the install script:
- Return to the server detail page in OEC.sh
- Click Refresh on the Tunnel panel
- The status badge should change to Connected (green)
Once connected, OEC.sh automatically:
- Runs preflight checks through the tunnel
- Installs Docker on your server
- Configures the server for Odoo deployments
- Sets up monitoring
You can now create projects and deploy environments on this server, just like any other BYOS server.
Tunnel Panel
The Tunnel panel on the server detail page shows:
| Element | Description |
|---|---|
| Status Badge | Connection state: Connected (green), Pending (yellow), Disconnected (red), Error (red) |
| Tunnel ID | Unique identifier for your tunnel (click to copy) |
| Hostname | Your tunnel's SSH hostname, e.g., t-c28352f4.oec.sh (click to copy) |
| Last Seen | Timestamp of the last tunnel activity |
| Install Script | Bash script to install and start cloudflared on your server |
| Refresh | Manually check the current tunnel status |
| Disable Tunnel | Remove the tunnel and revert to direct connection mode |
Status Indicators
- Connected — Tunnel is active. SSH and HTTP traffic flowing. Server is fully operational.
- Pending — Tunnel created but
cloudflarednot yet running on your server. Run the install script. - Disconnected — Tunnel was previously connected but
cloudflaredstopped. Check the service on your server. - Error — Something went wrong. Check troubleshooting section below.
DNS & Domains
SSH Hostname
Each tunnel server gets a unique hostname for SSH access:
t-{server-id}.oec.shFor example: t-c28352f4.oec.sh. This is a CNAME record pointing to Cloudflare's tunnel endpoint, created automatically.
Environment Domains
When you deploy Odoo environments on a tunnel server, DNS is handled automatically:
- OEC.sh creates a CNAME record pointing to your tunnel (instead of an A record pointing to an IP)
- Cloudflare terminates TLS at the edge — no Let's Encrypt certificates needed on your server
- Your environment URLs work exactly like direct servers:
https://myapp-prod-1234.apps.oec.sh
Custom domains also work with tunnel servers. DNS for custom domains should be configured with a CNAME pointing to your environment's *.apps.oec.sh subdomain.
Security
Cloudflare Tunnel provides enterprise-grade security:
- No inbound ports — Your server makes outbound-only connections. No attack surface exposed.
- Zero-trust architecture — All access goes through Cloudflare's security policies.
- Cloudflare Access — OEC.sh automatically creates Access policies to secure tunnel endpoints.
- Encrypted transit — All traffic between Cloudflare and your server is encrypted.
- DDoS protection — Cloudflare's network absorbs attacks before they reach your server.
- No public IP exposure — Your server's real IP is never revealed.
SSH Key Management
When you select Auto-generate SSH key during server creation:
- OEC.sh generates a secure 4096-bit RSA keypair
- The private key is stored encrypted in OEC.sh
- The public key is added to your server via the install script
- OEC.sh uses this key for all server management operations (deployments, preflight checks, monitoring)
Your existing SSH keys and passwords are never modified when enabling a tunnel on an existing server.
Limitations & Considerations
- Added latency — Tunnel routing adds approximately 200-400ms to SSH operations compared to direct connections. This does not noticeably affect end-user HTTP response times (Cloudflare edge caching helps).
- Plan requirement — Available on Pro plans and above.
- BYOS only — Tunnels work with your own servers, not shared servers.
- Outbound internet required — Your server must be able to reach Cloudflare's network (HTTPS outbound).
- systemd required — The
cloudflaredservice runs as a systemd unit. Non-systemd init systems are not currently supported.
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| Status stays Pending | Install script hasn't been run | Copy the script from the Tunnel panel and run it on your server as root |
| Status shows Disconnected | cloudflared service stopped | SSH into server and run: sudo systemctl restart cloudflared |
| Install script fails | Missing dependencies or wrong architecture | Check your server runs a supported OS (Ubuntu 20.04+, Debian 11+) and has curl installed |
| SSH connection fails through tunnel | SSH key not installed on server | Re-run the install script, or manually add OEC.sh's public key to ~/.ssh/authorized_keys |
| Preflight checks fail | Tunnel not yet connected | Wait for the status to show "Connected", then retry preflight |
| DNS not resolving for environments | CNAME record creation delayed | Wait 1-2 minutes for DNS propagation. Click "Refresh" on the tunnel panel. |
| "Cloudflare account not linked" error | No Cloudflare account in org settings | Go to Settings → Cloud Accounts and add your Cloudflare account |
| Tunnel panel not showing | Server not using tunnel connection method | Tunnel panel only appears for servers created with Cloudflare Tunnel connection method |
Checking cloudflared on Your Server
# Check service status
sudo systemctl status cloudflared
# View logs
sudo journalctl -u cloudflared --tail=50
# Restart the service
sudo systemctl restart cloudflared
# Check installed version
cloudflared --versionFAQ
Can I switch from direct SSH to Cloudflare Tunnel on an existing server?
Currently, the connection method is set when adding the server. To use a tunnel, add the server again with the Cloudflare Tunnel connection method selected.
Does the tunnel affect Odoo performance?
For end users accessing Odoo through the browser, there is no noticeable performance impact. Cloudflare's global edge network actually improves latency for users far from your server. The ~200-400ms added latency only affects SSH management operations.
What happens if the tunnel disconnects?
Your Odoo environments continue running normally on the server. However, OEC.sh cannot manage the server (deploy, backup, etc.) until the tunnel reconnects. The cloudflared service automatically reconnects after network disruptions.
Can I use a tunnel with cloud-provisioned servers?
Tunnels are designed for BYOS servers where you manage the infrastructure. Cloud-provisioned servers (DigitalOcean, Hetzner, AWS, etc.) already have public IPs and use direct SSH connections.
Is there a cost for Cloudflare Tunnel?
Cloudflare Tunnel is free to use with any Cloudflare account. You only need a Cloudflare account (also free). The Pro plan requirement is on the OEC.sh side.
How do I update cloudflared?
Run the install script again from the Tunnel panel. It will download and install the latest version, replacing the existing one.
Related Topics
- Servers Overview — Server types and management
- Custom Domains — Set up custom domains for your environments
- Firewall & Port Requirements — Ports needed for direct SSH servers
- Cloud Accounts — Cloudflare cloud account setup